Ransomware operators are always on the lookout for a way to take their ransomware to the
next level. That’s particularly true of the gang behind LockBit. Following the lead of the Maze 
and REvil ransomware crime rings, LockBit's operators are now threatening to leak the data 
of their victims in order to extort payment. And the ransomware itself also includes a number 
of technical improvements that show LockBit's developers are climbing the ransomware 
learning curve—and have developed an interesting technique to circumvent Windows’ User 
Account Control (UAC). 


Because of recent dynamics in the ransomware world, we suspect that this privilege-escalation technique will pop up in other ransomware families in the future. We've seen a surge in "imposter" ransomware: essentially rebranded variants of already-existing families. Not a single day goes by without a new brand of ransomware coming out. It has become surprisingly easy to clone ransomware and release it, with small modifications, under a different umbrella.


The Ransomware Learning Curve 
Before we jump into the synopsis of LockBit, let's take a moment to look at how ransomware is developed in general. Many families follow a common timeline in the techniques and procedures their developers implement at each stage. This appears to stem from the learning curve involved in creating ransomware, and from the iteration of the malware as the developer builds his or her knowledge of the craft.


Each ransomware seems to have an "infancy phase," in which the developer implements TTPs hastily just so the "product" can come out and start gaining a reputation. In this phase the simplest ideas are implemented first: strings are usually plain text, encryption runs on a single thread, and LanguageID checks are in place to avoid encrypting computers in CIS countries, and so avoid attracting unwanted attention from CIS law enforcement agencies.


After about 2 months into the ransomware operation, the developer starts implementing more sophisticated elements. They may introduce multi-threading, establish a presence in underground forums, obfuscate or encrypt strings in the binary, and add a skip list/kill list for services and processes.


Around 4 months into the ransomware's life, things get more serious. The business model may now switch to Ransomware as a Service (RaaS), with an affiliate program in place. Oftentimes, binaries are cryptographically signed with valid, stolen certificates. The ransomware developer may also start implementing UAC bypasses at this stage. This appears to be the stage the LockBit group is entering.
[Figure: Ransomware Maturation Matrix, plotting the techniques a family adopts against its maturity level (x axis: Maturity Level). Techniques shown include: ransom note, ransom extension, ransom email, ransom wallpaper, LangID check, FindNextFileW comparison, CIS check, single-threading, plain-text strings, lstrcmpiW comparisons, deleting shadow copies, deleting restore points, internet check-in, CreateMutexA, extension skip-list, files skip-list, process kill-list, service stop-list, encrypted strings, modifies MBR, shares enumeration, obfuscated strings, cybercrime forum presence, use of filemarker, key blob in files, persistence, multi-threading, use of bcdedit, use of fsutil file setZeroData, use of icacls, use of wevtutil, anti-analysis techniques, anti-debug techniques, UAC bypass, ransom TOR gate, threatens with data leak, IOCP (I/O Completion Ports), RaaS affiliate model, privilege escalation, code signed with a valid certificate.]


Advertising the goods 


As with most ransomware, LockBit maintains a forum topic on a well-known underground 
web board to promote their product. Ransomware operators maintain a forum presence 
mainly to advertise the ransomware, discuss customer inquiries and bugs, and to advertise 
an affiliate program through which other criminals can lease components of the ransomware 
code to build their own ransomware and infrastructure. 


In January, LockBit's operators created a new thread in the web board's marketplace forum, 
announcing the "LockBit Cryptolocker Affiliate Program" and advertising the capabilities of 
their malware. The post claims that the new version had been in development since 
September of 2019, and emphasizes the performance of the encryptor and its lower use of 
system resources to prevent its detection. 
LockBit has been in development since September 2019; nobody has managed to decrypt it, though there have been attempts.

Hello, friends!

There are no amateurish e-mails here, and no multithreading, which in practice loads the system more than it encrypts.

The software is written in C and assembler; encryption through I/O completion ports; a port scanner over local subnets that finds all DFS, SMB and WebDav shares; an admin panel in Tor; automatic test decryption; issuing of the decryptor; chat with PUSH notifications; a Jabber bot that forwards the correspondence; termination of services/processes from a list, and of those blocking a file at the moment of opening. Setting of file permissions and removal of blocking attributes, deletion of shadow copies, clearing of logs, mounting of hidden partitions, drag'n'drop of files and folders, console/hidden operating mode. Encrypts

Forum post announcing LockBit's affiliate program.

LockBit's post indicates that “we do not work in the CIS,” meaning that the ransomware will 
not target victims in Russia and other Commonwealth of Independent States countries. This 
comes as no surprise—as we have seen previously, CIS authorities don’t bother 
investigating these groups unless they are operating against targets in their area of 
jurisdiction. 


That does not mean that the LockBit group won't do business with other CIS-based gangs. In 
fact, they won’t work with English-speaking developers without a Russian-speaking 
“guarantor” to vouch for them. 


Escalating the extortion 


In this most recent evolution of LockBit, the malware now drops a ransom note that threatens 
to leak data the malware has stolen from victims: “!!! We also download huge amount of your 
private data, including finance information, clients personal info, network diagrams, 
passwords and so on. Don't forget about GDPR.” 


All your important files are encrypted!

Any attempts to restore your files with the thrid-party software will be fatal for your files!
RESTORE YOU DATA POSIBLE ONLY BUYING private key from us.

There is only one way to get your files back:

| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser http://lockbitks2tvnmwk[.]onion/?[...]
| 3. Follow the instructions on this page

Attention!

* Do not rename encrypted files.
* Do not try to decrypt using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our).
* Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
* Tor Browser user manual https://tb-manual.torproject.org/about

!!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on.
Don't forget about GDPR.

LockBit ransom note
If the threat were to be carried out, it might result in real-world sanctions against the ransomware victims from regulators or privacy authorities—for example, for violating the European Union's General Data Protection Regulation (GDPR), which makes companies responsible for securing sensitive customer data in their possession.


An increasing number of ransomware gangs use extortion that threatens the release of private data (which might include sensitive customer information, trade secrets, or embarrassing correspondence) to incentivize victims to pay the ransom, even if they have backups that prevented data loss. The data-leak threat has become a signature of the REvil and Maze ransomware gangs; the Maze group has gone as far as publishing chunks of data from victims who fail to pay by the deadline, taking down the dumps when they finally pay.


Picking through LockBit's code 


From a first glance at the recent LockBit sample in a reverse-engineering tool, we can tell that the program was written primarily in C++ with some additions made in assembler. For example, a few anti-debug techniques read the PEB (Process Environment Block) pointer from fs:[30h] and check its BeingDebugged flag manually, instead of calling IsDebuggerPresent().


The first thing the ransomware does at execution is to check whether the sample was executed with any parameters added from the command line. Usually, this is done to check whether the sample is being executed in a sandbox environment: contemporary malware often requires that it be run with specific parameters, to prevent analysis by automated sandboxes, which often execute samples without parameters. But the LockBit sample we examined does the opposite: it won't execute if any parameter is entered on the command line. If there are no arguments in the command that executes it, LockBit hides its console output, where the malware prints debug messages, and proceeds to do its job.
[Figure: disassembly of the entry routine; the comparison annotated "check if argc >= 2" follows the command-line parsing.]
The parameter checker in LockBit halts the ransomware if any parameter is passed.

This could be intended to detect if the sample was executed in a sandbox environment. But 
it's possible that either the malware author made a mistake in the implementation of the 
check (and wanted to check the other way around), or that this behavior is just a placeholder, 
and future versions will introduce different logic. 


Hiding strings 


LockBit's author also used several techniques to make it more difficult to reconstruct the 
code behind it. The Portable Executable (PE) binary shows signs of being heavily optimized, 
as well as some efforts by the group to cover their coding tracks—or at least get rid of some 
of the low-hanging fruit that reverse engineering tools look for, such as unencrypted text 
strings. 


Those heavy optimizations also increase LockBit's performance. The binary makes heavy use of Intel's SSE instruction set and architecture-specific features to boost its performance. That includes the use of multiple XMM registers to store and decrypt the service names, process names and other strings used to interact with the operating system.

[Figure: IDA view of .rdata xmmword variables (0x419440 through 0x419480) holding the encrypted strings.]
Xmmword variables store encrypted LockBit strings
These string variables get decrypted on the fly with a 1-byte XOR key unique to each string: 
the first hex byte of every variable. 
Almost all the functions contain a small routine that loops around and is in charge of decrypting hidden strings. In this case, we can see how the original MSSQLServerADHelper100 service name gets de-obfuscated: the malware uses a one-byte 0x0A XOR key to recover the plaintext service name.
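To show how an analyst recovers strings laid out this way, here is an added Python example (not code from the LockBit sample, and not Sophos tooling). It implements the scheme the text describes, a one-byte key stored in the first byte of each blob and XORed over the rest of the string up to its NUL terminator, and adds a heuristic scanner that walks a data dump looking for blobs in that layout. The sample blob is constructed with the encoder below (using the 0x0A key and the MSSQLServerADHelper100 name from the text) rather than extracted from the binary, and the 0x37 key on the second sample is arbitrary.

```python
"""Recover one-byte-XOR obfuscated strings of the kind described above.

Added example, not code from the LockBit sample or from Sophos. Layout assumed
from the article: blob[0] is the XOR key, blob[1:] is the string (NUL-terminated)
XORed with that key. All sample data is CONSTRUCTED here with encode_string().
"""


def encode_string(plaintext: str, key: int) -> bytes:
    """Build a blob in that layout; used only to construct sample data."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    data = plaintext.encode("ascii") + b"\x00"          # include the terminator
    return bytes([key]) + bytes(b ^ key for b in data)


def decode_string(blob: bytes) -> str:
    """XOR every byte after the first with the first byte, stopping at the
    decoded NUL terminator (which is stored as the key byte itself)."""
    if len(blob) < 2:
        raise ValueError("blob too short to hold a key and a string")
    key = blob[0]
    out = bytearray()
    for b in blob[1:]:
        plain = b ^ key
        if plain == 0:
            break
        out.append(plain)
    return out.decode("ascii", errors="replace")


def scan_for_strings(data: bytes, min_len: int = 6):
    """Heuristic sweep over a memory or .rdata dump: try every offset as a key
    byte and keep decodings that are printable ASCII, NUL-terminated and at
    least min_len long. Returns (offset, string) pairs in offset order."""
    hits = []
    for off in range(len(data) - 1):
        key = data[off]
        if key == 0:                         # key 0 would mean no obfuscation; skip
            continue
        chars = bytearray()
        terminated = False
        for b in data[off + 1:]:
            plain = b ^ key
            if plain == 0:
                terminated = True
                break
            if not 0x20 <= plain < 0x7F:     # not printable: this offset is not a key
                break
            chars.append(plain)
        if terminated and len(chars) >= min_len:
            hits.append((off, chars.decode("ascii")))
    return hits


# Constructed sample: the service name and 0x0A key mentioned in the text
SAMPLE_BLOB = encode_string("MSSQLServerADHelper100", 0x0A)
# Constructed dump: padding, the sample blob, more padding, a second blob (key 0x37)
SAMPLE_DUMP = b"\x00\x00" + SAMPLE_BLOB + b"\x00\x00" + encode_string("sqlbrowser", 0x37)

if __name__ == "__main__":
    print(decode_string(SAMPLE_BLOB))
    for off, s in scan_for_strings(SAMPLE_DUMP):
        print(f"0x{off:04x}: {s}")
```

The scanner accepts false positives by design (any offset whose following bytes happen to decode to printable text), so its output is a candidate list to confirm against the decryption loop in a debugger, not a final string table.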


[Figure: the string-decryption loop (mov al, byte ptr ss:[esp+...]; xor byte ptr ss:[esp+ecx+...], al) starting around 0x00408760, with memory dumps before and after decryption. The decrypted region holds service names such as MSSQL$MICROSOFT##WID, SQLAgent$VEEAMSQL2012, vmware-usbarbitator64, QBCFMonitorService, Intuit.QuickBooks.FCS and AV_CS_ADMIN_KIT.]
Deobfuscating service names in the source


Check your privilege 
To ensure that it can do the most damage possible, LockBit has a procedure to check whether its process has Administrator privileges. And if it doesn't, it uses a technique that is growing in popularity among malware developers: a Windows User Account Control (UAC) bypass.


Leveraging OpenProcessToken, it opens the current process token with a TOKEN_QUERY access mask. It then calls CreateWellKnownSid to create a security identifier (SID) for the Administrators group (WinBuiltinAdministratorsSid), giving the malware a reference SID to compare against. Finally, it checks whether the current token is a member of that group, and so has Administrator rights, with a call to CheckTokenMembership.


[Figure: decompiled privilege check. OpenProcessToken(-1, TOKEN_QUERY, &TokenHandle) opens the current process token; CreateWellKnownSid(WinBuiltinAdministratorsSid, ...) builds the Administrators SID; CheckTokenMembership(0, sid, &isMember) tests it. If that first check fails, the code calls GetTokenInformation(TokenHandle, TokenLinkedToken, ...) and repeats CheckTokenMembership on the linked token, leaving GetLastError() values 1312 (ERROR_NO_TOKEN) and 1314 (ERROR_PRIVILEGE_NOT_HELD) out of its error reporting.]
Checking the Administrator SID against the process token

If the current process does not have Admin privileges, the ransomware tries to sidestep 
Windows UAC with a bypass. In order for that to succeed, a Windows COM object needs to 
auto-elevate to Admin-level access first. 


To make this possible, LockBit calls a procedure called supMasqueradeProcess upon process initialization. supMasqueradeProcess lets LockBit disguise its own process information so that it appears to be a process running from a trusted directory. And what better target for that than explorer.exe?


The source code for the masquerade procedure can be found in a Github repository. 
[Figure: decompiled supMasqueradeProcess. It reads NtCurrentTeb()->ProcessEnvironmentBlock, allocates a 4096-byte buffer with NtAllocateVirtualMemory(-1, &BaseAddress, 0, &RegionSize, 0x3000, 4), builds the path from GetWindowsDirectoryW(winDir, 0x104) plus "\explorer.exe" with lstrcpyW/lstrcatW, then under RtlAcquirePebLock/RtlReleasePebLock calls RtlInitUnicodeString on ProcessParameters->ImagePathName and ProcessParameters->CommandLine ("explorer.exe"), and finally returns LdrEnumerateLoadedModules(0, EnumProc, 0).]
LockBit "masquerades" as explorer.exe

With the use of IDA Pro's COM helper tool, we see two CLSIDs—globally unique identifiers that identify a COM class object—that LockBit's code references. CLSIDs, represented as 128-bit hexadecimal numbers within a pair of curly braces, are stored under the Registry path HKEY_LOCAL_MACHINE\Software\Classes\CLSID.


[Figure: IDA's COM helper annotating two GUID structures in .rdata as CLSID_IColorDataProxy and CLSID_ICMLuaUtil.]
CLSIDs recognized by IDA.

Looking these up reveals that the two CLSIDs belong to IColorDataProxy and ICMLuaUtil, both undocumented COM interfaces that are prone to UAC bypass.

Name              CLSID                                   DLL
CMSTPLUA          {3E5FC7F9-9A51-4367-9063-A120244FBEC7}  ...\system32\cmstplua.dll
Color Management  {D2E7041B-2927-42fb-8E9F-7CE93B6DC937}  ...\system32\colorui.dll
Masquerading as explorer.exe, LockBit calls CoInitializeEx to initialize the COM library, with the COINIT_MULTITHREADED and COINIT_DISABLE_OLE1DDE flags to set the concurrency model. The CLSIDs are then written, as wide-character strings, onto the stack (the mov dword ptr ss:[ebp-...] sequence), and the next function call (lockbit.413980) will use them.


[Figure: two disassembly listings in which the wide-character strings L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" and L"{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}" are assembled on the stack two characters at a time (mov dword ptr ss:[ebp-...], ...), with edx pointing at lockbit.418F68 and lockbit.418F58 respectively, before the call into lockbit.413980.]
UAC bypass step 1 and step 2


Lockbit.413980 hosts the COM elevation moniker, which allows applications running under User Account Control (UAC) to activate COM classes with elevated privileges, via a string of the form Elevation:Administrator!new:{guid}.

The malware appends each of the two CLSIDs seen earlier to the moniker and activates the resulting objects.
[Figure: disassembly of lockbit.413980 writing "Elevation:Administrator!new:" onto the stack as wide characters, copying it with lstrcpyW and appending the CLSID with lstrcatW.]
The COM Elevation Moniker in use.

Now, the privilege has been successfully elevated with the UAC bypass and the control flow 
is passed back to the ransomware. We also notice two events and a registry key change 
during the execution: 


C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}

Key: Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
Value: DisplayCalibrator


Kill or skip 


LockBit enumerates the currently running processes and started services via the API calls 
CreateToolhelp32Snapshot, Process32First, Process32Next and finally OpenProcess, 
and compares the names against an internal service and process list. If one process 
matches one on the list, LockBit will attempt to terminate it via TerminateProcess.


The procedure to kill a service is a bit different. The malware first connects to the Service Control Manager via OpenSCManagerA. It then checks whether a service from the list exists via OpenServiceA. If the targeted service is present, it determines its state by calling QueryServiceStatusEx. Based on the status returned, it calls ControlService with the parameter SERVICE_CONTROL_STOP (0x00000001) on the specific service to stop it. But before that, another function (0x40E310) cycles through all services that depend on the target service, so the dependencies are stopped too; the malware calls EnumDependentServicesA to achieve this.


[Figure: disassembly loading pointers to hard-coded service-name strings such as "wrapper", "Intuit.QuickBooks.FCS", "DefWatch", "ccEvtMgr", "ccSetMgr", "SavRoam", "Sqlservr", "sqlagent", "sqladhlp", "Culserver", "RTVscan", "sqlbrowser", "SQLADHLP" and "QBIDPService" into stack slots ahead of the comparison loop.]
Hardcoded service names being checked against running services

The services that the malware tries to stop include anti-virus software (to avoid detection) 
and backup solution services. (Sophos is not affected by this attempt.) Other services are 
stopped because they might lock files on the disk, and might make it more difficult for the 
ransomware to easily acquire handles to files—stopping them improves LockBit's 
effectiveness. 


Some of the services of note that the ransomware attempts to stop, in the order they are coded into the ransomware, are:

DefWatch                      Symantec Defwatch
ccEvtMgr                      Norton AntiVirus Event Manager Service
ccSetMgr                      Symantec Common Client Settings Manager Service
SavRoam                       Symantec AntiVirus suite
RTVscan                       Symantec AntiVirus
QBFCService                   QuickBooks is an accounting software
QBIDPService                  QuickBooks for Windows by Intuit, Inc.
Intuit.QuickBooks.FCS         QuickBooks for Windows by Intuit, Inc.
QBCFMonitorService            QuickBooks for Windows by Intuit, Inc.
YooBackup                     Wooxo Backup
YooIT                         Wooxo Backup
zhudongfangyu                 360 by Qihoo 360 Deep Scan
sophos                        Sophos
stc_raw_agent                 STC Raw Backup Agent
VSNAPVSS                      StorageCraft Volume Snapshot VSS Provider
VeeamTransportSvc             Veeam Backup Transport Service
VeeamDeploymentService        Veeam Deployment Service
VeeamNFSSvc                   Veeam Backup and Replication Service
veeam                         Veeam
PDVFSService                  Veritas Backup Exec PureDisk Filesystem
BackupExecVSSProvider         Veritas Backup Exec VSS Provider
BackupExecAgentAccelerator    Veritas Backup Exec Agent Accelerator
BackupExecAgentBrowser        Veritas Backup Exec Agent Browser
BackupExecDiveciMediaService  Veritas Backup Exec Media Service
BackupExecJobEngine           Veritas Backup Exec Job Engine
BackupExecManagementService   Veritas Backup Exec Management Service
BackupExecRPCService          Veritas Backup Exec RPC Service
AcrSch2Svc                    Acronis Scheduler Service
AcronisAgent                  Acronis Agent
CASAD2DWebSvc                 Arcserve UDP Agent service
CAARCUpdateSvc                Arcserve UDP Update service
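Pulling the observable artifacts from this section and from the UAC bypass section above into detection logic, here is an added Python example (not Sophos's code and not code from the LockBit sample). It flags DllHost.exe surrogate launches for the two CLSIDs the article names, writes to the ICM\Calibration DisplayCalibrator value, and a burst of stops of services from the hard-coded list, compared case-insensitively the way the malware's own lstrcmpiW checks are. The telemetry records and their field names (host, ts, kind, image, cmdline, key, value, service) are constructed for the example; map them onto your own Sysmon or EDR schema. Any one of these signals can have a benign cause, so the value is in the correlation of the three rules on a single host within a short window.

```python
"""Hunt endpoint telemetry for the LockBit behaviours described above.

Added example, not code from Sophos or from the LockBit sample. Events are plain
dicts with CONSTRUCTED field names (host, ts, kind, image, cmdline, key, value,
service); map them onto your own EDR or Sysmon schema. The CLSIDs, the
registry path and the service names are the ones quoted in the article.
"""
import re
from collections import defaultdict

# CLSIDs the article shows being activated through the Elevation moniker
UAC_BYPASS_CLSIDS = {
    "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",   # CMSTPLUA, cmstplua.dll
    "{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",   # Color Management, colorui.dll
}
# Registry value the article observed being changed during the bypass
CALIBRATION_KEY = r"software\microsoft\windows nt\currentversion\icm\calibration"
CALIBRATION_VALUE = "displaycalibrator"
# Part of LockBit's hard-coded stop-list, compared case-insensitively like the
# malware's own lstrcmpiW comparisons
STOP_LIST = {s.casefold() for s in (
    "DefWatch", "ccEvtMgr", "ccSetMgr", "SavRoam", "RTVscan", "QBFCService",
    "QBIDPService", "Intuit.QuickBooks.FCS", "QBCFMonitorService", "sophos",
    "VSNAPVSS", "VeeamTransportSvc", "VeeamDeploymentService", "VeeamNFSSvc",
    "BackupExecVSSProvider", "BackupExecJobEngine", "AcrSch2Svc", "AcronisAgent",
)}

_PROCESSID_RE = re.compile(r"/processid:(\{[0-9a-f-]{36}\})", re.IGNORECASE)


def dllhost_clsid(event):
    """CLSID string if the event is a DllHost.exe surrogate launch for one of the
    bypass-prone classes, otherwise None."""
    if event.get("kind") != "process_create":
        return None
    if not event.get("image", "").lower().endswith("\\dllhost.exe"):
        return None
    match = _PROCESSID_RE.search(event.get("cmdline", ""))
    if match and match.group(1).upper() in UAC_BYPASS_CLSIDS:
        return match.group(1).upper()
    return None


def is_calibration_write(event):
    """True for a registry value-set of DisplayCalibrator under ...\\ICM\\Calibration."""
    if event.get("kind") != "registry_set":
        return False
    key = event.get("key", "").lower().replace("/", "\\").rstrip("\\")
    return key.endswith(CALIBRATION_KEY) and event.get("value", "").casefold() == CALIBRATION_VALUE


def service_stop_burst(events, threshold=3, window=60):
    """Hosts on which at least `threshold` distinct stop-list services stopped
    within `window` seconds. Returns (host, sorted service names) pairs."""
    per_host = defaultdict(list)
    for e in events:
        if e.get("kind") == "service_stop" and e.get("service", "").casefold() in STOP_LIST:
            per_host[e["host"]].append((e["ts"], e["service"].casefold()))
    alerts = []
    for host, stops in per_host.items():
        stops.sort()
        for start, _ in stops:
            names = {name for ts, name in stops if start <= ts <= start + window}
            if len(names) >= threshold:
                alerts.append((host, sorted(names)))
                break                        # one alert per host is enough
    return alerts


def hunt(events):
    """Run all three checks; returns (host, rule, detail) findings."""
    findings = []
    for e in events:
        clsid = dllhost_clsid(e)
        if clsid:
            findings.append((e["host"], "uac_bypass_clsid", clsid))
        if is_calibration_write(e):
            findings.append((e["host"], "icm_calibration_write", e["value"]))
    for host, names in service_stop_burst(events):
        findings.append((host, "stop_list_burst", ",".join(names)))
    return findings


# Constructed telemetry: ws01 shows the whole chain, ws02 only benign activity
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "kind": "process_create",
     "image": r"C:\WINDOWS\SysWOW64\DllHost.exe",
     "cmdline": r"C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"host": "ws01", "ts": 101, "kind": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration",
     "value": "DisplayCalibrator"},
    {"host": "ws01", "ts": 120, "kind": "service_stop", "service": "VeeamTransportSvc"},
    {"host": "ws01", "ts": 121, "kind": "service_stop", "service": "Sophos"},
    {"host": "ws01", "ts": 122, "kind": "service_stop", "service": "QBFCService"},
    {"host": "ws02", "ts": 130, "kind": "service_stop", "service": "Spooler"},
    {"host": "ws02", "ts": 131, "kind": "process_create",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The stop-list rule counts distinct service names rather than events, so a flapping single service does not trip it, and the threshold and window are parameters because the right values depend on how noisy backup-agent restarts are in a given estate.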
In addition to the list of services to kill, LockBit also carries a list of things not to encrypt, including certain folders, specific files and files with certain extensions that are important to the operating system, since disabling the operating system would make it difficult for the victim to receive and act upon the ransom note. These are stored in obfuscated lists within the code. A function within LockBit uses the FindFirstFileExW and FindNextFileW API calls to read through the file and folder names on the targeted disk, and then a simple lstrcmpiW call compares each name against the hardcoded list.


Accelerating file encryption 


Recently, we have seen ransomware groups taking more advanced concepts and applying them to their craft. One of these advanced concepts applied in LockBit is the use of Input/Output Completion Ports (IOCPs).

IOCPs are a model for queuing completed asynchronous I/O requests to a pool of worker threads. They allow a process to handle many concurrent asynchronous I/O operations more quickly and efficiently, without having to create a new thread each time it issues an I/O request.
[Figure: I/O Completion Port operation. Incoming client requests are queued to the completion port, on which a pool of threads is blocked; a woken thread performs CPU processing (active), blocks on file I/O (inactive), then performs CPU processing again.]
Reference: Windows Internals Part 2, by Mark E. Russinovich, David A. Solomon, and Alex Ionescu


That capability makes them well-suited to ransomware, whose sole purpose is to encrypt as many valuable files as possible, rendering the user's data useless. REvil (Sodinokibi) ransomware also uses IOCPs to achieve higher encryption performance.


LockBit's aim was to be much faster than any other multi-threaded locker. The group behind the ransomware claims to have used the following methods to boost the performance of their file encryption:

• Open files with the FILE_FLAG_NO_BUFFERING flag, write by sector size
• Transfer work with files to Native API
• Use asynchronous file I/O
• Use I/O port completion
• Pass control to the kernel yourself, google KiFastSystemCall
Once a file is marked for encryption—meaning, it did not match entries on the skip-list—a LockBit routine checks whether the file already has a .lockbit extension. If it does not, it encrypts the file and appends the .lockbit extension to the end of the filename.


LockBit relies on LoadLibraryA and GetProcAddress to load bcrypt.dll and import the BCryptGenRandom function. If the import succeeds, it calls BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG, which means use the system-preferred random number generator algorithm. If loading bcrypt.dll fails, it falls back to CryptAcquireContextW and CryptGenRandom, using the Microsoft Base Cryptographic Provider v1.0, and generates 32 bytes of random data to use as a seed.


[Figure: decompiled random-number setup. The code calls LoadLibraryA("bcrypt.dll") and GetProcAddress(..., "BCryptGenRandom"); if that fails it falls back to CryptAcquireContextW(..., "Microsoft Base Cryptographic Provider v1.0", ..., CRYPT_VERIFYCONTEXT) and a 32-byte CryptGenRandom call, releasing the context with CryptReleaseContext when the request fails.]
BCryptGenRandom in use

Also, at this stage, the hardcoded ransom note, Restore-My-Files.txt, gets de-obfuscated 
and the ransomware drops the .txt file in every directory that contains at least one encrypted 
file. 


Victim ID 


LockBit creates 2 registry values with key blobs as data under the following registry key: 
HKEY_CURRENT_USER\Software\LockBit 


The two registry values are: 


LockBit\full 
LockBit\Public 


These registry keys correlate with the Victim ID, file markers, and the unique TOR URL ID 
that LockBit builds for each system it takes down. 
Let's take the unique TOR URL from the ransom note: 

[Figure: LockBit ransom note. It warns that decrypting files with third-party software will be fatal for the files, states that the only way to get files back is buying the private key, and instructs the victim to install Tor Browser from https://www.torproject.org/ and open a http://lockbitks2tvnmwk[.]onion/ URL that ends in the victim's unique ID.] 
LockBit ransom note 
In this example, the 16-byte-long unique ID is at the end of the URL, 
http://lockbitks2tvnmwk[.]onion/?A0C155001DD0CB01AE0692717A2DB144: 


• The first 8 bytes used here (A0C155001DD0CB01) are the first 8 bytes of the file marker 
that is present at the end of every encrypted file. 

[Figure: file marker at the end of an encrypted file] 

• The last 8 bytes (AE0692717A2DB144) are the first 8 bytes of the Public registry value. 

The file marker (0x10 long) is divided into 2 sections: 

A0C155001DD0CB01: the first 8 bytes of the file marker, which are also the first 8 bytes of the TOR unique URL ID. 
D4EA7A79A0835006: the second 8 bytes, which are the same for all encrypted files in a given run. 


Also, the value of the full registry value (0x500 long, starting with 
1A443C7179498278B40DC082FCF8DE26... in this example) is present in every 
encrypted file, just before the file marker. 
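The trailer layout described above is enough to recover the victim ID from any encrypted file without touching the registry, which is useful when triaging a wiped or offline host. The following is an added example written for this post (not LockBit's code and not SophosLabs tooling); it assumes the layout the text describes, namely that every encrypted file ends with the 0x500-byte full blob followed by the 0x10-byte file marker, and that the URL ID is the first 8 bytes of the marker plus the first 8 bytes of the Public blob. Every byte value in it is constructed sample data, not the keys from the analysed sample.

```python
"""Pull the LockBit victim ID out of an encrypted file's trailer.

Added example; not LockBit code and not code from the SophosLabs post. It
assumes the trailer layout the post describes: every encrypted file ends with
the 0x500-byte HKCU\\Software\\LockBit\\full blob followed by the 0x10-byte file
marker, and the ID in the .onion URL is the first 8 bytes of the marker plus
the first 8 bytes of the Public blob. All byte values here are constructed
sample data, not the keys from the analysed sample.
"""

FULL_BLOB_LEN = 0x500    # size of the 'full' registry value
FILE_MARKER_LEN = 0x10   # size of the file marker at the very end of each file
TRAILER_LEN = FULL_BLOB_LEN + FILE_MARKER_LEN

# Constructed sample values (assumption: stand-ins, not data from a real sample).
SAMPLE_FULL_BLOB = bytes(range(256)) * 5                       # 0x500 bytes
SAMPLE_MARKER = bytes.fromhex("0011223344556677" "8899aabbccddeeff")
SAMPLE_PUBLIC_BLOB = bytes.fromhex("a1b2c3d4e5f60718" "ffeeddccbbaa9988")


def build_sample_encrypted_file(ciphertext: bytes, full_blob: bytes, marker: bytes) -> bytes:
    """Lay a file out the way the post describes: data, then full blob, then marker."""
    if len(full_blob) != FULL_BLOB_LEN or len(marker) != FILE_MARKER_LEN:
        raise ValueError("full blob must be 0x500 bytes and marker 0x10 bytes")
    return ciphertext + full_blob + marker


def parse_trailer(data: bytes) -> dict:
    """Split the trailer of an encrypted file into its components.

    Returns the 'full' blob, the first 8 marker bytes (which reappear as the
    first half of the TOR URL ID) and the second 8 marker bytes (constant for
    every file in one run). Raises ValueError for files too short to carry a
    trailer, the usual failure mode on partially written files.
    """
    if len(data) < TRAILER_LEN:
        raise ValueError("file too short to carry a LockBit trailer")
    trailer = data[-TRAILER_LEN:]
    marker = trailer[FULL_BLOB_LEN:]
    return {
        "full": trailer[:FULL_BLOB_LEN],
        "marker_head": marker[:8],
        "marker_tail": marker[8:],
    }


def tor_url_id(marker_head: bytes, public_blob: bytes) -> str:
    """Rebuild the 16-byte ID that LockBit appends to the .onion URL."""
    return (marker_head[:8] + public_blob[:8]).hex().upper()


def same_run(file_a: bytes, file_b: bytes) -> bool:
    """True when two encrypted files carry the same full blob and marker,
    i.e. they were produced by the same LockBit run on the same victim."""
    return file_a[-TRAILER_LEN:] == file_b[-TRAILER_LEN:]


if __name__ == "__main__":
    sample = build_sample_encrypted_file(b"\x00" * 100, SAMPLE_FULL_BLOB, SAMPLE_MARKER)
    parts = parse_trailer(sample)
    print("victim URL ID:", tor_url_id(parts["marker_head"], SAMPLE_PUBLIC_BLOB))
```

Because the full blob and marker are identical across every file of one run, comparing trailers (same_run) is a quick way to confirm that files found on different shares came from the same infection.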
[Figure: Registry Editor showing HKEY_CURRENT_USER\Software\LockBit with two REG_BINARY values: full (starting 1a 44 3c 71 79 49 82 78 b4 0d c0 82 fc f8 de 26 ...) and Public (starting ae 06 92 71 7a 2d b1 4a 14 60 be dd 28 08 ...).] 
LockBit registry values (full and Public) that are related to the victim machine. 


Share enumeration 


For a successful ransomware hit and run, the goal is to encrypt as many files as possible. So 
naturally, LockBit scans for network shares and other attached drives with the help of the 
following API calls. 


First, the malware enumerates the available drive letters with a call to GetLogicalDrives, 
then it cycles through the drives it found and calls GetDriveTypeW on each to determine 
whether a drive letter is a network share, by comparing the result with 0x4 
(DRIVE_REMOTE). 


Once it finds a networked drive, it calls WNetGetConnectionW to get the name of the share, 
then recursively enumerates all the folders and files on the share using the 
WNetOpenEnumW and WNetEnumResourceW API calls. 


The ransomware can also enter network shares that might require user credentials. LockBit 
uses the WNetAddConnection2W API call with parameters lpUserName = 0 and 
lpPassword = 0, which (counterintuitively) uses the username and password of the 
current, logged-in user to connect to the given share. Then it can enumerate the share using 
the NetShareEnum API call. 
[Figure: disassembly from .text:00408B5D to .text:00408B99. The code calls ds:GetDriveTypeW, compares eax with 4 (DRIVE_REMOTE) and jumps to loc_408C10 if it differs; otherwise it allocates a 512-byte buffer with malloc and calls ds:WNetGetConnectionW with lpLocalName, lpRemoteName and lpnLength.] 
Enumeration of attached, remote drives 


Don't quit just yet 


In an attempt to ensure that LockBit would not be kept from finishing its job by a system 
shutdown, the developers of this ransomware implemented a small routine that uses a call to 
ShutdownBlockReasonCreate. 


The developers didn't try to conceal the ransomware as the cause of the shutdown block: the 
ransomware sets the message for blocking shutdown as LockBit Ransom. Computer users 
would also see the message LockBit Ransom under the process' name. 


SetProcessShutdownParameters is also called to set the shutdown order level of the 
ransomware's process to 0, the lowest level, so that the ransomware's parent process will be 
active as long as it can, before a shutdown terminates the process. 


If the system is shut down, the malware also has capability to persist after a reboot. LockBit 
creates a registry key to restart itself under 
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, called XO1XADpO01. 


[Figure: debugger view of the ransomware pushing the value name L"XO1XADpO01" and a buffer before calling the registry API that writes the Run value.] 
Placing a persistence Run key in registry 
Stop me if you've heard this before 


LockBit prevents multiple ransomware instances on a single system by way of a hardcoded 
mutex: Global\{BEF590BE-11A6-442A-A85B-656C1081E04C}. Before LockBit starts 
encrypting, the ransomware checks that the mutex does not already exist by calling 
OpenMutexA, and calls ExitProcess if it does. 


As soon as the ransomware is mapped into memory and the encryption process finishes, the 
sample executes the following command to maintain a stealthy operation: 


• cmd.exe /C ping 1.1.1.1 -n 22 > Nul & "%s" (earlier version of LockBit) 
• cmd.exe /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 
"%s" & Del /f /q "%s" (recent version of LockBit) 


The ping command at the front is used because the sample can't delete itself, due to the fact 
that it is locked. Once ping terminates, the command can delete the executable. 


We clearly see an evolution to the applied technique here: in the earlier versions, the sample 
was missing a Del procedure at the end, so the ransomware would not delete itself. 


In the recent version, the crooks decided to use fsutil to zero out the initial binary, 
perhaps to throw off forensic analysis efforts. After the file is zeroed out, the now empty 
file is deleted as well, making double-sure the malware is not forensically recoverable. 
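The Run value XO1XADpO01 described earlier and the ping / fsutil setZeroData / Del chain above are both visible in ordinary endpoint telemetry, so they make cheap detections. The following is an added example for this post (not SophosLabs detection content and not LockBit code); it assumes Sysmon-style events reduced to dicts, with event 1 carrying a CommandLine and event 13 a registry TargetObject, and the event records in it are constructed samples rather than real telemetry.

```python
"""Flag LockBit's persistence and self-wipe artefacts in endpoint telemetry.

Added example; not code from the SophosLabs post or from LockBit. It assumes
Sysmon-style events reduced to dicts (event 1 = process creation with a
CommandLine, event 13 = registry value set with a TargetObject); the events
below are constructed samples, not real telemetry. The indicators are the
ones the post names: the Run value XO1XADpO01 and the
"ping ... > Nul & fsutil file setZeroData ... & Del" command line.
"""
import re

RUN_KEY_VALUE = "XO1XADpO01"

# Run value written under ...\Software\Microsoft\Windows\CurrentVersion\Run
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + re.escape(RUN_KEY_VALUE) + r"$",
    re.IGNORECASE,
)

# Recent variant: ping delay, then fsutil zeroes the binary, then Del removes it.
SELF_WIPE_RE = re.compile(
    r"ping\s+\S+\s+-n\s+\d+\s*>\s*nul\s*&\s*fsutil\s+file\s+setZeroData\b.*&\s*del\s",
    re.IGNORECASE,
)


def classify(event: dict) -> list:
    """Return the names of the LockBit indicators matched by one event."""
    hits = []
    if event.get("event_id") == 1:
        if SELF_WIPE_RE.search(event.get("CommandLine", "")):
            hits.append("lockbit_self_wipe_cmdline")
    elif event.get("event_id") == 13:
        if RUN_KEY_RE.search(event.get("TargetObject", "")):
            hits.append("lockbit_run_key_persistence")
    return hits


def scan(events) -> list:
    """Run classify() over an event stream; return (event index, indicator) pairs."""
    findings = []
    for i, ev in enumerate(events):
        for hit in classify(ev):
            findings.append((i, hit))
    return findings


# Constructed sample telemetry (assumption: Sysmon-like shape, invented values).
SAMPLE_EVENTS = [
    {"event_id": 1, "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping 8.8.8.8 -n 4"},                        # benign ping
    {"event_id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": ('cmd.exe /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData '
                     'offset=0 length=524288 "C:\\Users\\victim\\lb.exe" & Del /f /q '
                     '"C:\\Users\\victim\\lb.exe"')},
    {"event_id": 13, "Image": r"C:\Users\victim\lb.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft"
                     r"\Windows\CurrentVersion\Run\XO1XADpO01"},
    {"event_id": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft"
                     r"\Windows\CurrentVersion\Run\OneDrive"},     # benign Run value
]

if __name__ == "__main__":
    for index, indicator in scan(SAMPLE_EVENTS):
        print(f"event {index}: {indicator}")
```

The self-wipe rule is deliberately anchored on the whole chain (delay, zero-fill, delete) rather than on any single command, because ping, fsutil and del are all common on their own; the Run key rule matches the value name only at the end of the path, so a coincidental substring elsewhere in a key name does not fire it.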


Language matters 


As we noted earlier, LockBit's developers wanted to avoid having their ransomware hit 
victims in Commonwealth of Independent States (CIS) countries. The mechanism used by 
the ransomware to achieve this calls GetUserDefaultLangID and looks for specific language 
identifier constants in the region format setting for the current user. If the current user's 
language setting matches any of the values below, the ransomware exits and does not start 
the encryption routine. 
    result = (unsigned __int16)GetUserDefaultLangID(); 
    if ( (_WORD)result == 0x82C    // Azerbaijani (az) 
      || (_WORD)result == 0x42C    // Azerbaijan, Latin (AZ) 
      || (_WORD)result == 0x42B    // Armenian (hy) 
      || (_WORD)result == 0x423    // Belarusian (be) 
      || (_WORD)result == 0x437    // Georgian (ka) 
      || (_WORD)result == 0x43F    // Kazakh (kk) 
      || (_WORD)result == 0x440    // Kyrgyz (ky) 
      || (_WORD)result == 0x819    // Russian (Moldova) 
      || (_WORD)result == 0x419    // Russian (ru) 
      || (_WORD)result == 0x428    // Tajik (tg) 
      || (_WORD)result == 0x442    // Turkmen (tk) 
      || (_WORD)result == 0x843    // Uzbek (uz) 
      || (_WORD)result == 0x443    // Uzbekistan, Latin (UZ) 
      || (_WORD)result == 0x422 )  // Ukrainian (uk) 
    { 
      ExitProcess(0); 
    } 
    return result; 


If your computer's UserDefaultLangId is set to one of these values, LockBit does no damage 
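A LANGID is a 16-bit value whose low 10 bits hold the primary language and whose high 6 bits hold the sublanguage, which is why the list above contains several pairs (Russian 0x419 and 0x819, Uzbek 0x443 and 0x843, Azerbaijani 0x42C and 0x82C). The following is an added example, not LockBit code and not code from the post; the table of values is copied from the decompiled check above, while the decoding helpers are the added part.

```python
"""Decode the Windows LANGID values LockBit compares against.

Added example, not LockBit code or code from the SophosLabs post. A LANGID is
a 16-bit value: the low 10 bits are the primary language and the high 6 bits
the sublanguage (the MAKELANGID / PRIMARYLANGID / SUBLANGID macros). The
table below is the exact list from the decompiled check in the post; the
decoding helpers are the added part.
"""

# Values from the decompiled LockBit check, with the post's annotations.
EXCLUDED_LANGIDS = {
    0x82C: "Azerbaijani (az)",
    0x42C: "Azerbaijan, Latin (AZ)",
    0x42B: "Armenian (hy)",
    0x423: "Belarusian (be)",
    0x437: "Georgian (ka)",
    0x43F: "Kazakh (kk)",
    0x440: "Kyrgyz (ky)",
    0x819: "Russian (Moldova)",
    0x419: "Russian (ru)",
    0x428: "Tajik (tg)",
    0x442: "Turkmen (tk)",
    0x843: "Uzbek (uz)",
    0x443: "Uzbekistan, Latin (UZ)",
    0x422: "Ukrainian (uk)",
}


def primary_langid(langid: int) -> int:
    """PRIMARYLANGID: the low 10 bits of the LANGID."""
    return langid & 0x3FF


def sub_langid(langid: int) -> int:
    """SUBLANGID: the high 6 bits of the LANGID."""
    return (langid >> 10) & 0x3F


def is_excluded(langid: int) -> bool:
    """Mirror the sample's exact-match test on the 16-bit result of
    GetUserDefaultLangID (the (_WORD) cast truncates anything above 16 bits)."""
    return (langid & 0xFFFF) in EXCLUDED_LANGIDS


def excluded_by_primary_language() -> dict:
    """Group the list by primary language, which shows where LockBit lists more
    than one sublanguage of the same language (Azerbaijani, Russian, Uzbek)."""
    groups = {}
    for langid in EXCLUDED_LANGIDS:
        groups.setdefault(primary_langid(langid), []).append(langid)
    return {primary: sorted(ids) for primary, ids in groups.items()}


def describe(langid: int) -> str:
    """Human-readable breakdown of one LANGID and whether the check would exit."""
    name = EXCLUDED_LANGIDS.get(langid & 0xFFFF, "not on the exclusion list")
    return (f"LANGID 0x{langid:04X}: primary 0x{primary_langid(langid):02X}, "
            f"sublanguage {sub_langid(langid)} -> {name}")


if __name__ == "__main__":
    for lid in (0x419, 0x819, 0x409):
        print(describe(lid))
```

Because the check is an exact match on the user's default language rather than on the primary language alone, a sublanguage the list does not name (or a user account configured with a different locale than the machine) is not excluded, which is worth remembering when interpreting the "does no damage" caption above.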


Changing the wallpaper 


To get the affected user's attention, the malware (as is typical) creates and displays a 
ransom note wallpaper. A set of АР! calls are involved in this process, listed below. 


The created wallpaper gets stored under %APPDATA%\Local\Temp\A7D8.tmp.bmp. 


In the meantime, the malware also sets a few registry keys so that the wallpaper is not tiled, 
and the image is stretched out to fill the screen: 


HKEY_CURRENT_USER\Control Panel\Desktop 


• TileWallpaper=0 (No tile) 
• WallpaperStyle=2 (Stretch and fill) 


[Figure] Wallpaper used by a previous version of LockBit 


[Figure] Wallpaper set by a recent version of LockBit 


Stack Exchange for crooks 
LockBit leverages a very similar service-list to MedusaLocker ransomware. It comes as no 
surprise that crooks copy these lists, so they don't have to reinvent the wheel. 


The unique Registry run key and ransom note filename that was written by LockBit— 
XO1XADpO01 and Restore-My-Files.txt — were also seen being used by Phobos, and by 
a Phobos imposter ransomware. This would suggest that there is a connection between 
these families, but without further evidence that is hard to justify. 


[Figure: tweet by MalwareHunterTeam] 
"There's a ransomware faking Phobos ransomware... 
Note: Restore-My-Files.txt 
Extension: .phobos 
The "XO1XADpO01" mutex was seen before..." 


The future for LockBit 


A recent Twitter post demonstrates what the future looks like for LockBit. In a recent LockBit 
attack, the MBR was overwritten with roughly 2000 bytes; the infected machine would not 
boot up unless a password is supplied. The hash of this sample is currently not known. 
[Figure: tweet by @spacetrain31, replying to @albertzsigovits, @demonslay335 and 7 others] 
"Had a Windows active directory server for a client that got hit by the ransomware, DiskGenius 
showed .lockbit files on the raw partition. Also had the boot record overridden to display a 
message on boot. Either it is the same variant or a newer variant of it." 
[Attached screenshot: DiskGenius listing damaged partitions, and the boot-time message 
"FULL disk encryption? Contact ondrugs@firemail.cc" followed by an "enter password:" prompt] 
https://twitter.com/spacetrain31/status/1232296412378955776 
The e-mail used for extortion, ondrugs@firemail.cc, was also seen with STOP ransomware—
an uncanny connection. The groups behind them might be related. 


There is also speculation that application Diskcryptor was combined with the ransomware to 
add this extra lockdown layer. The MAMBA ransomware was also using this technique, 
leveraging Diskcryptor to lock the victim machine. DiskCryptor is currently being detected as 
AppC/DCrpt-Gen by Sophos Anti-Virus. 


A list of the indicators of compromise (loCs) for this post have been published to the 
SophosLabs Github. 